52 #define PARSE_REGEX "^\\s*!?([^\\s,]+)\\s*(,\\s*relative)?\\s*(,\\s*rawbytes\\s*)?\\s*$"
58 static void DetectIsdataatRegisterTests(
void);
100 char *args[3] = {NULL,NULL,NULL};
105 pcre2_match_data *match = NULL;
107 if (ret < 1 || ret > 4) {
108 SCLogError(
"pcre_exec parse error, ret %" PRId32
", string %s", ret, isdataatstr);
114 res = pcre2_substring_get_bynumber(match, 1, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
116 SCLogError(
"pcre2_substring_get_bynumber failed");
119 args[0] = (
char *)str_ptr;
123 res = pcre2_substring_get_bynumber(match, 2, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
125 SCLogError(
"pcre2_substring_get_bynumber failed");
128 args[1] = (
char *)str_ptr;
131 res = pcre2_substring_get_bynumber(match, 3, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
133 SCLogError(
"pcre2_substring_get_bynumber failed");
136 args[2] = (
char *)str_ptr;
146 if (args[0][0] !=
'-' && isalpha((
unsigned char)args[0][0])) {
149 "var name for offset. \"offset\" argument supplied to "
150 "this function has to be non-NULL");
158 strlen(args[0]), args[0]) < 0 ) {
166 if (args[1] !=NULL) {
173 if (isdataatstr[0] ==
'!') {
177 for (i = 0; i < (ret -1); i++) {
179 pcre2_substring_free((PCRE2_UCHAR8 *)args[i]);
182 pcre2_match_data_free(match);
189 pcre2_match_data_free(match);
191 for (i = 0; i < (ret -1) && i < 3; i++){
193 pcre2_substring_free((PCRE2_UCHAR8 *)args[i]);
220 idad = DetectIsdataatParse(
de_ctx, isdataatstr, &
offset);
253 "seen in isdataat - %s\n",
288 if (prev_pm == NULL) {
331 "preceding content option");
346 static int g_dce_stub_data_buffer_id = 0;
352 static int DetectIsdataatTestParse01 (
void)
356 idad = DetectIsdataatParse(NULL,
"30 ", NULL);
369 static int DetectIsdataatTestParse02 (
void)
373 idad = DetectIsdataatParse(NULL,
"30 , relative", NULL);
386 static int DetectIsdataatTestParse03 (
void)
390 idad = DetectIsdataatParse(NULL,
"30,relative, rawbytes ", NULL);
402 static int DetectIsdataatTestParse04(
void)
428 static int DetectIsdataatTestParse06(
void)
435 "(msg:\"Testing bytejump_body\"; "
437 "isdataat:!4,relative; sid:1;)");
451 "(msg:\"Testing bytejump_body\"; "
453 "isdataat: !4,relative; sid:2;)");
473 static int DetectIsdataatTestPacket01 (
void)
476 uint8_t *buf = (uint8_t *)
"Hi all!";
477 uint16_t buflen = strlen((
char *)buf);
483 if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
487 sigs[0]=
"alert ip any any -> any any (msg:\"Testing window 1\"; isdataat:6; sid:1;)";
488 sigs[1]=
"alert ip any any -> any any (msg:\"Testing window 2\"; content:\"all\"; isdataat:1, relative; isdataat:6; sid:2;)";
489 sigs[2]=
"alert ip any any -> any any (msg:\"Testing window 3\"; isdataat:8; sid:3;)";
490 sigs[3]=
"alert ip any any -> any any (msg:\"Testing window 4\"; content:\"Hi\"; isdataat:5, relative; sid:4;)";
491 sigs[4]=
"alert ip any any -> any any (msg:\"Testing window 4\"; content:\"Hi\"; isdataat:6, relative; sid:5;)";
493 uint32_t sid[5] = {1, 2, 3, 4, 5};
515 static int DetectIsdataatTestPacket02 (
void)
518 uint8_t *buf = (uint8_t *)
"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
519 "User-Agent: Wget/1.11.4"
521 "Host: www.google.com"
522 "Connection: Keep-Alive"
523 "Date: Mon, 04 Jan 2010 17:29:39 GMT";
524 uint16_t buflen = strlen((
char *)buf);
531 char sig[] =
"alert tcp any any -> any any (msg:\"pcre with"
532 " isdataat + relative\"; pcre:\"/A(ll|pp)WorkAndNoPlayMakesWillA"
533 "DullBoy/\"; isdataat:96,relative; sid:1;)";
547 static int DetectIsdataatTestPacket03 (
void)
550 uint8_t *buf = (uint8_t *)
"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
551 "User-Agent: Wget/1.11.4"
553 "Host: www.google.com"
554 "Connection: Keep-Alive"
555 "Date: Mon, 04 Jan 2010 17:29:39 GMT";
556 uint16_t buflen = strlen((
char *)buf);
563 char sig[] =
"alert tcp any any -> any any (msg:\"byte_jump match = 0 "
564 "with distance content HTTP/1. relative against HTTP/1.0\"; byte_jump:1,"
565 "46,string,dec; isdataat:87,relative; sid:109; rev:1;)";
577 void DetectIsdataatRegisterTests(
void)
581 UtRegisterTest(
"DetectIsdataatTestParse01", DetectIsdataatTestParse01);
582 UtRegisterTest(
"DetectIsdataatTestParse02", DetectIsdataatTestParse02);
583 UtRegisterTest(
"DetectIsdataatTestParse03", DetectIsdataatTestParse03);
584 UtRegisterTest(
"DetectIsdataatTestParse04", DetectIsdataatTestParse04);
585 UtRegisterTest(
"DetectIsdataatTestParse06", DetectIsdataatTestParse06);
587 UtRegisterTest(
"DetectIsdataatTestPacket01", DetectIsdataatTestPacket01);
588 UtRegisterTest(
"DetectIsdataatTestPacket02", DetectIsdataatTestPacket02);
589 UtRegisterTest(
"DetectIsdataatTestPacket03", DetectIsdataatTestPacket03);
#define DETECT_CONTENT_RELATIVE_NEXT
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
void SigMatchAppendSMToList(Signature *s, SigMatch *new, const int list)
Append a SigMatch to the list type.
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
void(* Free)(DetectEngineCtx *, void *)
int DetectIsdataatSetup(DetectEngineCtx *, Signature *, const char *)
This function is used to add the parsed isdataatdata into the current signature.
struct SigMatch_ * smlists_tail[DETECT_SM_LIST_MAX]
#define ISDATAAT_OFFSET_VAR
void SigFree(DetectEngineCtx *, Signature *)
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
struct DetectRfbSecresult_ results[]
main detection engine ctx
int StringParseUint16(uint16_t *res, int base, size_t len, const char *str)
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx.
int UTHPacketMatchSig(Packet *p, const char *sig)
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that builds packets with default IP and port fields.
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
int DetectBufferGetActiveList(DetectEngineCtx *de_ctx, Signature *s)
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
#define PARSE_REGEX
Regex for parsing our isdataat options.
uint8_t DetectByteIndexType
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
int DetectBufferTypeGetByName(const char *name)
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
#define PASS
Pass the test.
#define DETECT_CONTENT_ENDS_WITH
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
#define ISDATAAT_RELATIVE
SignatureInitData * init_data
#define ISDATAAT_RAWBYTES
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
SigMatch * SigMatchAlloc(void)
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
#define DETECT_SM_LIST_NOTSET
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
bool DetectByteRetrieveSMVar(const char *arg, const Signature *s, DetectByteIndexType *index)
Used to retrieve args from BM.
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
SigMatch * DetectBufferGetFirstSigMatch(const Signature *s, const uint32_t buf_id)
int UTHGenericTest(Packet **pkt, int numpkts, const char *sigs[], uint32_t sids[], uint32_t *results, int numsigs)
UTHGenericTest: function that performs a generic check, taking care of as many common unittest elements as possible...
#define SCLogError(...)
Macro used to log ERROR messages.
int SigMatchListSMBelongsTo(const Signature *s, const SigMatch *key_sm)
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
a single match condition for a signature
DetectEngineCtx * DetectEngineCtxInit(void)
#define DETECT_PCRE_RELATIVE_NEXT
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Signature * SigAlloc(void)
void DetectIsdataatFree(DetectEngineCtx *, void *)
this function will free memory associated with DetectIsdataatData
void(* RegisterTests)(void)
void DetectIsdataatRegister(void)
Registration function for isdataat: keyword.
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.